To enable deny ACE support for the seq-based feature, use the hardware access-list allow deny ace command. To disable this feature, use the no form of the command.
hardware access-list allow deny ace
no hardware access-list allow deny ace
This command has no arguments or keywords.
Command Default: Disabled
Command Modes: Global configuration
Release | Modification
---|---
6.1(3) | This command was introduced.
This command does not require a license.
Note: The deny ACE feature is not supported on F1 modules.
This example shows how to enable the deny ACE feature:
switch# configure terminal
switch(config)# hardware access-list allow deny ace
switch(config)#
This example shows how to disable the deny ACE feature:
switch# configure terminal
switch(config)# no hardware access-list allow deny ace
switch(config)#
Command | Description
---|---
hardware access-list update | Configures how a supervisor module updates an I/O module with changes to an ACL.
To enable access control list (ACL) capture on all virtual device contexts (VDCs), use the hardware access-list capture command. To disable ACL capture, use the no form of the command.
hardware access-list capture
no hardware access-list capture
This command has no arguments or keywords.
Command Default: Disabled
Command Modes: Global configuration
Release | Modification
---|---
6.1(1) | Added support for M2 series modules.
5.2(1) | This command was introduced.
Only M Series modules support ACL capture.
ACL capture is a hardware-assisted feature and is not supported for the management interface or for control packets originating in the supervisor. It is also not supported for software ACLs such as SNMP community ACLs and virtual teletype (VTY) ACLs.
Enabling ACL capture disables ACL logging for all VDCs and the rate limiter for ACL logging.
Only one ACL capture session can be active at any given time in the system across VDCs.
This command does not require a license.
This example shows how to enable ACL capture on all VDCs:
switch# configure terminal
switch(config)# hardware access-list capture
This example shows how to disable ACL capture on all VDCs:
switch# configure terminal
switch(config)# no hardware access-list capture
Command | Description
---|---
hardware access-list update | Configures how a supervisor module updates an I/O module with changes to an ACL.
To enable access control list (ACL) ternary content addressable memory (TCAM) bank mapping for feature groups and classes, use the hardware access-list resource feature bank-mapping command. To disable ACL TCAM bank mapping, use the no form of the command.
hardware access-list resource feature bank-mapping
no hardware access-list resource feature bank-mapping
This command has no arguments or keywords.
Command Default: Disabled
Command Modes: Global configuration
Release | Modification
---|---
6.2(2) | This command was introduced.
This command is available only in the default virtual device context (VDC) but applies to all VDCs.
F1 Series modules do not support ACL TCAM bank mapping. Resource pooling and ACL TCAM bank mapping cannot be enabled at the same time.
This example shows how to enable ACL TCAM bank mapping for feature groups and classes:
switch(config)# hardware access-list resource feature bank-mapping
Command | Description
---|---
show system internal access-list feature bank-class map | Displays the ACL TCAM bank mapping feature group and class combination tables.
To allow ACL-based features to use more than one TCAM bank on one or more I/O modules, use the hardware access-list resource pooling command. You can also enable the flexible TCAM bank chaining feature with the PORT-VLAN or VLAN-VLAN mode. To restrict ACL-based features to using one TCAM bank on an I/O module, use the no form of this command.
hardware access-list resource pooling [ port-vlan | vlan-vlan ] module { module-number | all }
no hardware access-list resource pooling [ port-vlan | vlan-vlan ] module { module-number | all }
Keyword or Argument | Description
---|---
module | Specifies the module.
port-vlan | Specifies the port-vlan mode, which allows you to configure a single port feature and a single VLAN feature on a destination per direction.
vlan-vlan | Specifies the vlan-vlan mode, which allows you to configure two VLAN features on a destination per direction.
module-number | Specifies the I/O module(s). The slot-number-list argument allows you to specify modules by the slot number that they occupy. You can specify a single I/O module, a range of slot numbers, or comma-separated slot numbers and ranges.
all | Specifies all the modules. Note that the PORT-VLAN and VLAN-VLAN modes are supported only on the F3 modules, so you cannot enable flexible TCAM bank chaining for all the modules.
Command Default: None
Command Modes: Global configuration
Release | Modification
---|---
7.3(0)D1(1) | This command was modified to support the flexible bank chaining feature with VLAN-VLAN and PORT-VLAN modes.
4.2(1) | The hyphen was removed between the resource and pooling keywords.
4.1(2) | This command was introduced.
By default, each ACL-based feature can use one TCAM bank on an I/O module. This default behavior limits each feature to 16,000 TCAM entries. If you have very large security ACLs, you may encounter this limit. The command allows you to make more than 16,000 TCAM entries available to ACL-based features.
If you want to enable bank chaining for the entire system, Cisco recommends adding the configuration for the entire module range, even if a module is not present, using the module range command, as described in the Examples section.
This command does not require a license.
This example shows how to enable ACL programming across TCAM banks on the I/O module in slot 1:
switch# configure terminal
switch(config)# hardware access-list resource pooling module 1
This example shows how to enable bank chaining for all modules in a 10-slot chassis (excluding supervisor slots 5 and 6):
switch# configure terminal
switch(config)# hardware access-list resource pooling module 1-4, 7-10
When a new module is inserted, bank chaining is enabled automatically for that module, without you having to remember to enter the command.
This example shows how to enable VLAN-VLAN mode for module 3:
switch# configure terminal
switch(config)# hardware access-list resource pooling vlan-vlan module 3
Command | Description
---|---
hardware access-list update | Configures atomic or non-atomic update of access lists, and the default access-list result during a non-atomic hardware update.
show running-config all | Displays the running configuration, including the default configuration.
show system internal access-list globals | Displays the access control list (ACL) ternary content addressable memory (TCAM) common information along with the bank chaining mode.
To configure how a supervisor module updates an I/O module with changes to an access-control list (ACL), use the hardware access-list update command in the default virtual device context (VDC). To disable atomic updates, use the no form of this command.
hardware access-list update { atomic | default-result permit }
no hardware access-list update { atomic | default-result permit }
Keyword or Argument | Description
---|---
atomic | Specifies that the device performs atomic updates, which do not disrupt traffic during the update. By default, a Cisco Nexus 7000 Series device performs atomic ACL updates.
default-result permit | Specifies that, during non-atomic updates, the device permits traffic that the updated ACL applies to.
Command Default: atomic
Command Modes: Global configuration
Release | Modification
---|---
4.1(4) | This command is available only in the default VDC.
4.1(2) | This command was introduced to replace the platform access-list update command.
In Cisco NX-OS Release 4.1(4) and later releases, the hardware access-list update command is available in the default VDC only and affects all VDCs.
By default, when a supervisor module of a Cisco Nexus 7000 Series device updates an I/O module with changes to an ACL, it performs an atomic ACL update. An atomic update does not disrupt traffic that the updated ACL applies to; however, an atomic update requires that an I/O module that receives an ACL update has enough available resources to store each updated ACL entry in addition to all preexisting entries in the affected ACL. After the update occurs, the additional resources used for the update are freed. If the I/O module lacks the required resources, the device generates an error message and the ACL update to the I/O module fails.
If an I/O module lacks the resources required for an atomic update, you can disable atomic updates by using the no hardware access-list update atomic command in the default VDC; however, during the brief time required for the device to remove the preexisting ACL and implement the updated ACL, traffic that the ACL applies to is dropped by default.
If you want to permit all traffic that an ACL applies to while it receives a nonatomic update, use the hardware access-list update default-result permit command in the default VDC.
This command does not require a license.
Note: In Cisco NX-OS Release 4.1(4) and later releases, the hardware access-list update command is available in the default VDC only. To verify that the current VDC is VDC 1 (the default VDC), use the show vdc current-vdc command.
This example shows how to disable atomic ACL updates:
switch# configure terminal
switch(config)# no hardware access-list update atomic
This example shows how to permit affected traffic during a nonatomic ACL update:
switch# configure terminal
switch(config)# hardware access-list update default-result permit
This example shows how to revert to the atomic update method:
switch# configure terminal
switch(config)# no hardware access-list update default-result permit
switch(config)# hardware access-list update atomic
Command | Description
---|---
show running-config all | Displays the running configuration, including the default configuration.
To configure rate limits in packets per second on supervisor-bound traffic, use the hardware rate-limiter command. To revert to the default, use the no form of this command.
hardware rate-limiter { access-list-log { packets | disable } [ module module [ port start end ] ] | copy { packets | disable } [ module module [ port start end ] ] | f1 { rl-1 { packets | disable } [ module module [ port start end ] ] | rl-2 { packets | disable } [ module module [ port start end ] ] | rl-3 { packets | disable } [ module module [ port start end ] ] | rl-4 { packets | disable } [ module module [ port start end ] ] | rl-5 { packets | disable } [ module module [ port start end ] ] } | layer-2 { l2pt { packets | disable } [ module module [ port start end ] ] | mcast-snooping { packets | disable } [ module module [ port start end ] ] | port-security { packets | disable } [ module module [ port start end ] ] | storm-control { packets | disable } [ module module [ port start end ] ] | vpc-low { packets | disable } [ module module [ port start end ] ] } | layer-3 { control { packets | disable } [ module module [ port start end ] ] | glean { packets | disable } [ module module [ port start end ] ] | glean-fast { packets | disable } [ module module [ port start end ] ] | mtu { packets | disable } [ module module [ port start end ] ] | multicast { packets | disable } [ module module [ port start end ] ] | ttl { packets | disable } [ module module [ port start end ] ] } | receive { packets | disable } [ module module [ port start end ] ] | portgroup-multiplier multiplier module module }
no hardware rate-limiter { access-list-log { packets | disable } [ module module [ port start end ] ] | copy { packets | disable } [ module module [ port start end ] ] | f1 { rl-1 { packets | disable } [ module module [ port start end ] ] | rl-2 { packets | disable } [ module module [ port start end ] ] | rl-3 { packets | disable } [ module module [ port start end ] ] | rl-4 { packets | disable } [ module module [ port start end ] ] | rl-5 { packets | disable } [ module module [ port start end ] ] } | layer-2 { l2pt { packets | disable } [ module module [ port start end ] ] | mcast-snooping { packets | disable } [ module module [ port start end ] ] | port-security { packets | disable } [ module module [ port start end ] ] | storm-control { packets | disable } [ module module [ port start end ] ] | vpc-low { packets | disable } [ module module [ port start end ] ] } | layer-3 { control { packets | disable } [ module module [ port start end ] ] | glean { packets | disable } [ module module [ port start end ] ] | glean-fast { packets | disable } [ module module [ port start end ] ] | mtu { packets | disable } [ module module [ port start end ] ] | multicast { packets | disable } [ module module [ port start end ] ] | ttl { packets | disable } [ module module [ port start end ] ] } | receive { packets | disable } [ module module [ port start end ] ] | portgroup-multiplier multiplier module module }
Keyword or Argument | Description
---|---
access-list-log | Specifies packets copied to the supervisor module for access list logging. The default rate is 100 packets per second.
packets | Number of packets per second. The range is from 1 to 33554431.
disable | Disables the rate limiter.
module module | (Optional) Specifies a module number. The range is from 1 to 18.
port start end | (Optional) Specifies a port start index and end index. The range is from 1 to 32. Enter the start port and the end port separated by a space.
copy | Specifies data and control packets copied to the supervisor module. The default rate is 30000 packets per second.
f1 | Specifies the control packets from the F1 modules to the supervisor.
rl-1 | Specifies the F1 rate-limiter 1.
rl-2 | Specifies the F1 rate-limiter 2.
rl-3 | Specifies the F1 rate-limiter 3.
rl-4 | Specifies the F1 rate-limiter 4.
rl-5 | Specifies the F1 rate-limiter 5.
layer-2 | Specifies Layer 2 packet rate limits.
l2pt | Specifies Layer 2 Tunnel Protocol (L2TP) packets. The default rate is 4096 packets per second.
mcast-snooping | Specifies Layer 2 multicast-snooping packets. The default rate is 10000 packets per second.
port-security | Specifies port security packets. The default is disabled.
storm-control | Specifies broadcast, multicast, and unknown unicast storm-control packets. The default is disabled.
vpc-low | Specifies Layer 2 control packets over the virtual port channel (vPC) low queue. It synchronizes lower-priority control-plane communication between vPC peer switches and protects the control plane when a vPC peer switch misbehaves or excessive traffic occurs between the two. The default rate is 4000 packets per second.
layer-3 | Specifies Layer 3 packet rate limits.
control | Specifies Layer 3 control packets. The default rate is 10000 packets per second.
glean | Specifies Layer 3 glean packets. The default rate is 100 packets per second.
glean-fast | Specifies Layer 3 glean fast-path packets. The default rate is 100 packets per second.
mtu | Specifies Layer 3 maximum transmission unit (MTU) failure redirected packets. The default rate is 500 packets per second.
multicast | Specifies Layer 3 multicast packets per second.
ttl | Specifies Layer 3 failed time-to-live redirected packets. The default rate is 500 packets per second.
receive | Specifies packets redirected to the supervisor module. The default rate is 30000 packets per second.
portgroup-multiplier multiplier | Specifies the multiplier value. The range is from 0.10 to 3.00. The default value is 1.00.
Command Default: See the Syntax Description for the default rate limits. Default rate limits for the F1 Series modules:
RL-1: 4500 packets per second
RL-2: 1000 packets per second
RL-3: 1000 packets per second
RL-4: 100 packets per second
RL-5: 1500 packets per second
Command Modes: Global configuration
Release | Modification
---|---
6.2(12) | Added the portgroup-multiplier keyword and the multiplier parameter.
6.2(2) | Added the glean-fast keyword.
5.1(1) | Added the f1, rl-1, rl-2, rl-3, rl-4, and rl-5 keywords. Also added the module, disable, and port keywords.
5.0(2) | Added the l2pt keyword.
4.1(2) | This command was introduced to replace the platform rate-limit command.
Glean fast-path is enabled by default. If glean fast-path programming does not occur due to adjacency resource exhaustion, the system falls back to regular glean programming.
The hardware rate-limiter layer-3 glean-fast {packets | disable} [module module [port start end]] command sends packets to the supervisor from F2e, M1, or M2 Series modules.
The hardware rate-limiter portgroup-multiplier multiplier module module command applies the multiplier to the rate limit. For example, if you configured the ttl rate-limiter as 1000 pps and the multiplier value was 0.5, each ASIC instance would be programmed with 500 pps.
This command does not require a license.
This example shows how to configure a rate limit for control packets:
switch# configure terminal
switch(config)# hardware rate-limiter layer-3 control 20000
This example shows how to revert to the default rate limit for control packets:
switch# configure terminal
switch(config)# no hardware rate-limiter layer-3 control
This example shows how to configure the port group multiplier:
switch# configure terminal
switch(config)# hardware rate-limiter portgroup-multiplier 0.5 module 3
Command | Description
---|---
clear hardware rate-limiter | Clears rate-limit statistics.
show hardware rate-limiter | Displays rate-limit information.
show running-config | Displays the running configuration.
To verify the advertised hop-count limit, use the hop-limit command in RA guard policy configuration mode.
hop-limit { maximum | minimum } limit
Keyword or Argument | Description
---|---
maximum limit | Verifies that the hop-count limit is lower than that set by the limit argument.
minimum limit | Verifies that the hop-count limit is greater than that set by the limit argument.
Command Default: No hop-count limit is specified.
Command Modes: RA guard policy configuration (config-ra-guard)
Release | Modification
---|---
8.0(1) | This command was introduced.
The hop-limit command enables verification that the advertised hop-count limit is greater than or less than the value set by the limit argument. Configuring the minimum limit keyword and argument can prevent an attacker from setting a low hop-count limit value on the hosts to block them from generating traffic to remote destinations; that is, beyond their default router. If the advertised hop-count limit value is unspecified (which is the same as setting a value of 0), the packet is dropped.
Configuring the maximum limit keyword and argument enables verification that the advertised hop-count limit is lower than the value set by the limit argument. If the advertised hop-count limit value is unspecified (which is the same as setting a value of 0), the packet is dropped.
The following example shows how the command defines a router advertisement (RA) guard policy named raguard1, places the router in RA guard policy configuration mode, and sets a minimum hop-count limit of 3:
switch(config)# ipv6 nd raguard policy raguard1
switch(config-ra-guard)# hop-limit minimum 3
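The hop-limit check described above, applied to constructed Router Advertisement messages so the drop and permit cases can be seen on real ICMPv6 bytes. This is an added example and not Cisco code: the RaGuardPolicy class, build_ra and advertised_hop_limit are assumed helpers, and the comparisons follow the page's wording literally (strictly greater than the minimum, strictly lower than the maximum), so boundary behaviour of an actual device is not asserted here.

```python
import struct

# Added example, not Cisco code: evaluates the `hop-limit { maximum | minimum } limit`
# check of an RA guard policy against ICMPv6 Router Advertisement messages.
# Strict comparisons are an assumption taken from the page's wording.

ND_ROUTER_ADVERT = 134  # ICMPv6 type of a Router Advertisement (RFC 4861)


def build_ra(cur_hop_limit: int, router_lifetime: int = 1800) -> bytes:
    """Construct a minimal RA (no options) for testing: type, code, checksum (left 0),
    Cur Hop Limit, flags, Router Lifetime, Reachable Time, Retrans Timer."""
    return struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0,
                       cur_hop_limit, 0, router_lifetime, 0, 0)


def advertised_hop_limit(icmpv6: bytes) -> int:
    """Return the Cur Hop Limit field of an RA; 0 means the router left it unspecified."""
    if len(icmpv6) < 16 or icmpv6[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    return icmpv6[4]


class RaGuardPolicy:
    """Mirrors `ipv6 nd raguard policy NAME` with an optional hop-limit verification."""

    def __init__(self, name: str):
        self.name = name
        self.minimum = None  # set by `hop-limit minimum limit`
        self.maximum = None  # set by `hop-limit maximum limit`

    def hop_limit(self, keyword: str, limit: int) -> None:
        if keyword == "minimum":
            self.minimum = limit
        elif keyword == "maximum":
            self.maximum = limit
        else:
            raise ValueError("keyword must be 'minimum' or 'maximum'")

    def verdict(self, icmpv6: bytes) -> str:
        """Return 'permit', or 'drop: <reason>' when the advertised hop limit fails the policy."""
        if self.minimum is None and self.maximum is None:
            return "permit"  # no hop-count limit configured: nothing to verify
        advertised = advertised_hop_limit(icmpv6)
        if advertised == 0:
            # Unspecified is treated like a value of 0 and the packet is dropped.
            return "drop: advertised hop limit unspecified (0)"
        if self.minimum is not None and not advertised > self.minimum:
            return f"drop: hop limit {advertised} not greater than minimum {self.minimum}"
        if self.maximum is not None and not advertised < self.maximum:
            return f"drop: hop limit {advertised} not lower than maximum {self.maximum}"
        return "permit"
```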
Command | Description
---|---
ipv6 nd raguard policy | Defines the RA guard policy name and enters RA guard policy configuration mode.
To specify a host or a subnet as a member of an IPv4-address object group, use the host command. To remove a group member from an IPv4-address object group, use the no form of this command.
[sequence-number] host IPv4-address
no { sequence-number | host IPv4-address }
[sequence-number] IPv4-address network-wildcard
no IPv4-address network-wildcard
[sequence-number] IPv4-address / prefix-len
no IPv4-address / prefix-len
Keyword or Argument | Description
---|---
sequence-number | (Optional) Sequence number for this group member. Sequence numbers maintain the order of group members within an object group. Valid sequence numbers are from 1 to 4294967295. If you do not specify a sequence number, the device assigns a number that is 10 greater than the largest sequence number in the current object group.
host IPv4-address | Specifies that the group member is a single IPv4 address. Enter IPv4-address in dotted-decimal format.
IPv4-address network-wildcard | IPv4 address and network wildcard. Enter IPv4-address and network-wildcard in dotted-decimal format. Use network-wildcard to specify which bits of IPv4-address are the network portion of the address, as follows: switch(config-ipaddr-ogroup)# 10.23.176.0 0.0.0.255 A network-wildcard value of 0.0.0.0 indicates that the group member is a specific IPv4 address.
IPv4-address/prefix-len | IPv4 address and variable-length subnet mask. Enter IPv4-address in dotted-decimal format. Use prefix-len to specify how many bits of IPv4-address are the network portion of the address, as follows: switch(config-ipaddr-ogroup)# 10.23.176.0/24 A prefix-len value of 32 indicates that the group member is a specific IP address.
Command Default: None
Command Modes: IPv4 address object group configuration
Release | Modification
---|---
4.0(1) | This command was introduced.
To specify a subnet as a group member, use either of the following forms of this command:
[sequence-number] IPv4-address network-wildcard
[sequence-number] IPv4-address / prefix-len
Regardless of the command form that you use to specify a subnet, the device shows the IP-address/prefix-len form of the group member when you use the show object-group command.
To specify a single IPv4 address as a group member, use any of the following forms of this command:
[sequence-number] host IPv4-address
[sequence-number] IPv4-address 0.0.0.0
[sequence-number] IPv4-address /32
Regardless of the command form that you use to specify a single IPv4 address, the device shows the host IP-address form of the group member when you use the show object-group command.
This command does not require a license.
This example shows how to configure an IPv4-address object group named ipv4-addr-group-13 with two group members that are specific IPv4 addresses and one group member that is the 10.23.176.0 subnet:
switch# configure terminal
switch(config)# object-group ip address ipv4-addr-group-13
switch(config-ipaddr-ogroup)# host 10.121.57.102
switch(config-ipaddr-ogroup)# 10.121.57.234/32
switch(config-ipaddr-ogroup)# 10.23.176.0 0.0.0.255
switch(config-ipaddr-ogroup)# show object-group ipv4-addr-group-13
10 host 10.121.57.102
20 host 10.121.57.234
30 10.23.176.0/24
switch(config-ipaddr-ogroup)#
Command | Description
---|---
object-group ip address | Configures an IPv4 address group.
show object-group | Displays object groups.
To specify a host or a subnet as a member of an IPv6-address object group, use the host command. To remove a group member from an IPv6-address object group, use the no form of this command.
[sequence-number] host IPv6-address
no { sequence-number | host IPv6-address }
[sequence-number] IPv6-address /network-prefix
no IPv6-address /network-prefix
Keyword or Argument | Description
---|---
sequence-number | (Optional) Sequence number for this group member. Sequence numbers maintain the order of group members within an object group. Valid sequence numbers are from 1 to 4294967295. If you do not specify a sequence number, the device assigns a number that is 10 greater than the largest sequence number in the current object group.
host IPv6-address | Specifies that the group member is a single IPv6 address. Enter IPv6-address in colon-separated, hexadecimal format.
IPv6-address/network-prefix | IPv6 address and a variable-length subnet mask. Enter IPv6-address in colon-separated, hexadecimal format. Use network-prefix to specify how many bits of IPv6-address are the network portion of the address, as follows: switch(config-ipv6addr-ogroup)# 2001:db8:0:3ab7::/96 A network-prefix value of 128 indicates that the group member is a specific IPv6 address.
Command Default: None
Command Modes: IPv6 address object group configuration
Release | Modification
---|---
4.0(1) | This command was introduced.
To specify a subnet as a group member, use the following form of this command:
[sequence-number] IPv6-address /network-prefix
To specify a single IP address as a group member, use any of the following forms of this command:
[sequence-number] host IPv6-address
[sequence-number] IPv6-address /128
Regardless of the command form that you use to specify a single IPv6 address, the device shows the host IPv6-address form of the group member when you use the show object-group command.
This command does not require a license.
This example shows how to configure an IPv6-address object group named ipv6-addr-group-A7 with two group members that are specific IPv6 addresses and one group member that is the 2001:db8:0:3ab7:: subnet:
switch# configure terminal
switch(config)# object-group ipv6 address ipv6-addr-group-A7
switch(config-ipv6addr-ogroup)# host 2001:db8:0:3ab0::1
switch(config-ipv6addr-ogroup)# 2001:db8:0:3ab0::2/128
switch(config-ipv6addr-ogroup)# 2001:db8:0:3ab7::/96
switch(config-ipv6addr-ogroup)# show object-group ipv6-addr-group-A7
10 host 2001:db8:0:3ab0::1
20 host 2001:db8:0:3ab0::2
30 2001:db8:0:3ab7::/96
switch(config-ipv6addr-ogroup)#
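The member normalization that show object-group applies, for both the IPv4 host command above and this IPv6 one: any of the accepted spellings is stored as a network, single addresses are displayed in host form, subnets in address/prefix-len form, and omitted sequence numbers are assigned 10 above the largest existing one. This is an added example and not Cisco code; the AddressObjectGroup class, parse_member, display_form and _wildcard_to_prefixlen are assumed helpers, and masking off host bits that are set under a prefix-len is an assumption.

```python
import ipaddress

# Added example, not Cisco code: models how NX-OS normalizes IPv4/IPv6 address
# object-group members to the form `show object-group` displays and how it
# assigns sequence numbers when the operator omits them.
MAX_SEQ = 4294967295


def _wildcard_to_prefixlen(wildcard: str) -> int:
    """Convert a contiguous network wildcard (0.0.0.255) to a prefix length (24)."""
    bits = int(ipaddress.IPv4Address(wildcard))
    host_bits = bits.bit_length()
    # The wildcard marks host bits; only a contiguous low-order run has a /prefix-len form.
    if bits != (1 << host_bits) - 1:
        raise ValueError(f"wildcard {wildcard} is not contiguous; no prefix-len form exists")
    return 32 - host_bits


def parse_member(line: str, version: int):
    """Parse one member line; return (sequence number or None, ip_network)."""
    tokens = line.split()
    seq = None
    if tokens and tokens[0].isdigit():
        seq = int(tokens.pop(0))
        if not 1 <= seq <= MAX_SEQ:
            raise ValueError(f"sequence number {seq} outside 1-{MAX_SEQ}")
    if len(tokens) == 3 and tokens[1] == "/":          # "address / prefix-len" spelling
        tokens = [tokens[0] + "/" + tokens[2]]
    if len(tokens) == 2 and tokens[0] == "host":       # host form -> /32 or /128
        net = ipaddress.ip_network(tokens[1])
    elif len(tokens) == 2 and version == 4:            # address network-wildcard form
        prefixlen = _wildcard_to_prefixlen(tokens[1])
        net = ipaddress.ip_network(f"{tokens[0]}/{prefixlen}", strict=False)
    elif len(tokens) == 1 and "/" in tokens[0]:        # address/prefix-len form
        net = ipaddress.ip_network(tokens[0], strict=False)  # host bits masked (assumption)
    else:
        raise ValueError(f"unrecognized member syntax: {line!r}")
    if net.version != version:
        raise ValueError(f"{net} is not an IPv{version} member")
    return seq, net


def display_form(net) -> str:
    """Canonical display: 'host A' for a single address, otherwise 'A/prefix-len'."""
    if net.prefixlen == net.max_prefixlen:
        return f"host {net.network_address}"
    return str(net)


class AddressObjectGroup:
    """An `object-group ip address` (version=4) or `object-group ipv6 address` (version=6)."""

    def __init__(self, name: str, version: int):
        self.name = name
        self.version = version
        self.members = {}  # sequence number -> ip_network

    def add(self, line: str) -> int:
        seq, net = parse_member(line, self.version)
        if seq is None:  # 10 greater than the largest existing number; 10 for an empty group
            seq = max(self.members) + 10 if self.members else 10
        self.members[seq] = net
        return seq

    def remove(self, line: str) -> bool:
        """The `no` form: remove by sequence number or by the member's address form."""
        if line.strip().isdigit():
            return self.members.pop(int(line), None) is not None
        _, net = parse_member(line, self.version)
        for seq, member in list(self.members.items()):
            if member == net:
                del self.members[seq]
                return True
        return False

    def show(self) -> list:
        """Lines in the layout `show object-group` prints, ordered by sequence number."""
        return [f"{seq} {display_form(net)}" for seq, net in sorted(self.members.items())]
```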
Command | Description
---|---
object-group ipv6 address | Configures an IPv6 address group.
show object-group | Displays object groups.